On Tue, Apr 11, 2006 at 05:46:16PM -0700, Dave Crocker allegedly wrote:
Well, you may want to sign twice for an extended period, say if
sig1 is rsa-sha1 and sig2 is rsa-sha256 and it takes a year or more
before you're confident that a sufficient number of peers have
deployed sha256 verifiers.
This presumes that a signature is expected to validate a year after it was
created. Since DKIM is for transit, why would anyone expect a validation
to occur that far into the future?
I don't think that's his point. His point is that it takes a year to
be confident that sufficient verifiers understand the new signature
type. IOW that year is the transition time for verifiers.
So yes, Jonathan, you have precisely described the case for two
signatures being generated by a signer - as a transition away from a
deprecated algorithm.
Mark.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html